Inter-revision diff: patch 5

Comparing v1 (message) to v5 (message)

--- v1
+++ v5
@@ -1,61 +1,90 @@
+This sysctl enables to propagate executable permission to userspace
+thanks to the O_MAYEXEC flag.
+
 Signed-off-by: Mickaël Salaün <mic@digikod.net>
-Reviewed-by: Philippe Trébuchet <philippe.trebuchet@ssi.gouv.fr>
 Reviewed-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Cc: Aleksa Sarai <cyphar@cyphar.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
 Cc: Jonathan Corbet <corbet@lwn.net>
 Cc: Kees Cook <keescook@chromium.org>
-Cc: Mickaël Salaün <mickael.salaun@ssi.gouv.fr>
 ---
- Documentation/admin-guide/LSM/Yama.rst | 41 ++++++++++++++++++++++++++
- 1 file changed, 41 insertions(+)
 
-diff --git a/Documentation/admin-guide/LSM/Yama.rst b/Documentation/admin-guide/LSM/Yama.rst
-index d0a060de3973..a72c86a24b35 100644
---- a/Documentation/admin-guide/LSM/Yama.rst
-+++ b/Documentation/admin-guide/LSM/Yama.rst
-@@ -72,3 +72,44 @@ The sysctl settings (writable only with ``CAP_SYS_PTRACE``) are:
-     ``PTRACE_TRACEME``. Once set, this sysctl value cannot be changed.
+Changes since v3:
+* Switch back to O_MAYEXEC and highlight that it is only taken into
+  account by openat2(2).
+
+Changes since v2:
+* Update documentation with the new RESOLVE_MAYEXEC.
+* Improve explanations, including concerns about LD_PRELOAD.
+
+Changes since v1:
+* Move from LSM/Yama to sysctl/fs .
+---
+ Documentation/admin-guide/sysctl/fs.rst | 44 +++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+diff --git a/Documentation/admin-guide/sysctl/fs.rst b/Documentation/admin-guide/sysctl/fs.rst
+index 2a45119e3331..d55615c36772 100644
+--- a/Documentation/admin-guide/sysctl/fs.rst
++++ b/Documentation/admin-guide/sysctl/fs.rst
+@@ -37,6 +37,7 @@ Currently, these files are in /proc/sys/fs:
+ - inode-nr
+ - inode-state
+ - nr_open
++- open_mayexec_enforce
+ - overflowuid
+ - overflowgid
+ - pipe-user-pages-hard
+@@ -165,6 +166,49 @@ system needs to prune the inode list instead of allocating
+ more.
  
- The original children-only logic was based on the restrictions in grsecurity.
+ 
++open_mayexec_enforce
++--------------------
 +
-+open_mayexec_enforce
-+====================
++While being ignored by :manpage:`open(2)` and :manpage:`openat(2)`, the
++``O_MAYEXEC`` flag can be passed to :manpage:`openat2(2)` to only open regular
++files that are expected to be executable.  If the file is not identified as
++executable, then the syscall returns -EACCES.  This may allow a script
++interpreter to check executable permission before reading commands from a file,
++or a dynamic linker to only load executable shared objects.  One interesting
++use case is to enforce a "write xor execute" policy through interpreters.
 +
-+The ``O_MAYEXEC`` flag can be passed to :manpage:`open(2)` to only open files
-+(or directories) that are executable.  If the file is not identified as
-+executable, then the syscall returns -EACCES.  This may allow a script
-+interpreter to check executable permission before reading commands from a file.
-+One interesting use case is to enforce a "write xor execute" policy through
-+interpreters.
++The ability to restrict code execution must be thought as a system-wide policy,
++which first starts by restricting mount points with the ``noexec`` option.
++This option is also automatically applied to special filesystems such as /proc
++.  This prevents files on such mount points to be directly executed by the
++kernel or mapped as executable memory (e.g. libraries).  With script
++interpreters using the ``O_MAYEXEC`` flag, the executable permission can then
++be checked before reading commands from files. This makes it possible to
++enforce the ``noexec`` at the interpreter level, and thus propagates this
++security policy to scripts.  To be fully effective, these interpreters also
++need to handle the other ways to execute code: command line parameters (e.g.,
++option ``-e`` for Perl), module loading (e.g., option ``-m`` for Python),
++stdin, file sourcing, environment variables, configuration files, etc.
++According to the threat model, it may be acceptable to allow some script
++interpreters (e.g. Bash) to interpret commands from stdin, may it be a TTY or a
++pipe, because it may not be enough to (directly) perform syscalls.
 +
-+Thanks to this flag, Yama enables to enforce the ``noexec`` mount option (i.e.
-+the underlying mount point of the file is mounted with MNT_NOEXEC or its
-+underlying superblock is SB_I_NOEXEC) not only on ELF binaries but also on
-+scripts.  This may be possible thanks to script interpreters using the
-+``O_MAYEXEC`` flag.  The executable permission is then checked before reading
-+commands from a file, and thus can enforce the ``noexec`` at the interpreter
-+level by propagating this security policy to the scripts.  To be fully
-+effective, these interpreters also need to handle the other ways to execute
-+code (for which the kernel can't help): command line parameters (e.g., option
-+``-e`` for Perl), module loading (e.g., option ``-m`` for Python), stdin, file
-+sourcing, environment variables, configuration files...  According to the
-+threat model, it may be acceptable to allow some script interpreters (e.g.
-+Bash) to interpret commands from stdin, may it be a TTY or a pipe, because it
-+may not be enough to (directly) perform syscalls.
++There are two complementary security policies: enforce the ``noexec`` mount
++option, and enforce executable file permission.  These policies are handled by
++the ``fs.open_mayexec_enforce`` sysctl (writable only with ``CAP_MAC_ADMIN``)
++as a bitmask:
 +
-+Yama implements two complementary security policies to propagate the ``noexec``
-+mount option or the executable file permission.  These policies are handled by
-+the ``kernel.yama.open_mayexec_enforce`` sysctl (writable only with
-+``CAP_MAC_ADMIN``) as a bitmask:
++1 - Mount restriction: checks that the mount options for the underlying VFS
++    mount do not prevent execution.
 +
-+1 - mount restriction:
-+    check that the mount options for the underlying VFS mount do not prevent
-+    execution.
++2 - File permission restriction: checks that the to-be-opened file is marked as
++    executable for the current process (e.g., POSIX permissions).
 +
-+2 - file permission restriction:
-+    check that the to-be-opened file is marked as executable for the current
-+    process (e.g., POSIX permissions).
++Code samples can be found in tools/testing/selftests/openat2/omayexec_test.c
++and at
++https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC .
 +
-+Code samples can be found in tools/testing/selftests/yama/test_omayexec.c and
-+https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC .
++
+ overflowgid & overflowuid
+ -------------------------
+ 
 -- 
-2.20.0.rc2
+2.26.2
+
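Review bot: the documentation text added to Documentation/admin-guide/sysctl/fs.rst carries a stray line break before the period in "special filesystems such as /proc" followed by "." on the next line; the period should be joined to "/proc". The same paragraph has two grammatical slips: "must be thought as a system-wide policy" should read "must be thought of as a system-wide policy", and "may it be a TTY or a pipe" should read "be it a TTY or a pipe". In the commit message, "enables to propagate executable permission" should read "enables propagating executable permission". The changelog also jumps from "Changes since v3" straight to "Changes since v2" and "Changes since v1" although this is v5; add a "Changes since v4" entry, or state that nothing changed in v4, so the history stays traceable. Finally, the bitmask description lists values 1 and 2 but never states the default value of fs.open_mayexec_enforce or that both bits may be set together; a sentence giving the default and the combined setting would help administrators reading /proc/sys/fs.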